What GDPR really means

‘Big Data’ isn’t something that mainstream sci-fi ever really dealt with.

We never considered what would happen if someone leaked Captain Picard’s holodeck history. And it’d be a much shorter movie if Darth Vader found Luke on the Death Star because Han’s phone connected to the WiFi.

But Big Data is here, and governments around the world are starting to give people more control over their personal information. The EU’s General Data Protection Regulation (GDPR) is the latest example.

Now, collecting data isn’t a bad thing in and of itself. All companies collect data to some degree.

But the internet has made it easier (and cheaper) than ever to gather info and intel.

That meant companies started collecting more. They started tracking what we do on their site. Then on other sites. Some started reading our emails. Tracking our location. With automatic opt-ins, and questionable opt-outs.

In short, GDPR exists because some bastards got greedy.

The real definition of GDPR

Before we dive into how you can get GDPR compliant, here’s a simple mnemonic to remember what GDPR really is, and why it exists.

GDPR = Generally Dickish Practice Retirement

  • Is it OK to find email addresses online and just add them in to receive our newsletter? No, because that’s dickish.
  • Shall we hide a pre-ticked opt-in in a 50,000 word page of text so people miss it? Nope, pretty dickish move.
  • Shall we just ignore people who ask to unsubscribe? Nope. Dickish.

Dickish practices got us in this mess, and GDPR is the attempt to get us out of it.

We’ve always believed that honest, open and friendly marketing is way more effective than the sleazy subterfuge kind, and this is a step towards that.

By retiring all those terrible practices that give marketers a bad name, I think marketing won’t just become ‘nicer’ – it’ll do better too.

The really great news is that Generally Dickish Practice Retirement won’t affect you too much if you don’t have any generally dickish practices to retire. If you’re all above board, all is good.

The seven requirements of GDPR

Our content performance team have been trying to figure out what to do about this whole GDPR thing. And they’ve condensed the legislation down into seven broad requirements.

The devil’s in the details, but at least this gives you something for your idle hands to get started with.

1) Make sure data for individuals is collected in a transparent manner

What dickish looks like: Obscuring the fact that you’re going to use their data for marketing.

What good looks like: Being open and honest about why (and how) you’re collecting information. Look at how neatly The Next Web do it.

What you can do: Update all your web sign-up forms to include an opt-in tick box for marketing emails (and don’t do that thing where you pre-tick them).

2) Your data needs to be collected for specified, explicit and legitimate purposes and not processed beyond those

What dickish looks like: Telling them that they’re just signing up for your eBook, then selling their data to the highest bidder.

What good looks like: Let people choose exactly what they receive from you. Give them control and it could actually mean higher opt-in rates for emails (since they know what you’re doing with the data and that they can change their minds later).

If you aren’t going to do vague, illegitimate things with their data – tell them what you are going to do with it.

What you can do: Offer people multiple choices of opt-ins at sign-up, letting them control whether they want functional emails or marketing emails (or both), for instance.

3) Your process needs to allow users to view, change and/or delete relevant stored data themselves

What dickish looks like: Leaving people in the system, even after they’ve asked to be deleted.

What good looks like: There are four kinds of requests a user could make: seeing what data you have, accessing the data to change or update it, moving all their data from you to someone else (a new supplier, for instance), or requesting all data be deleted. You need the systems in place to handle all four.

This is great for marketing too as it gives people the ability to keep their information up-to-date. By showing what you have, you give them the chance to change or delete the stuff that isn’t relevant.

Here’s how we helped our client OpenMarket handle it.

What you can do: Give people the ability to see, update and delete their information with you – and make it easy.

4) Your data needs to be adequate, relevant and limited to what’s necessary in relation to the purposes for which they are processed

What dickish looks like: “I know we’re a plumbing business now, but gather everything you can in case we ever pivot into the social media scene.”

What good looks like: Simplify. Instead of hoarding every scrap of info you can get on someone, concentrate on what you can use. Then, when you have it, actually use it to provide the very best experience for your customers.

What you can do: Trim those sign-up forms, keeping only the fields you actually need. Shorter forms take less time, which could mean lower drop-off rates too. Win-win.

5) Your website needs to allow visitors to opt out from web tracking

What dickish looks like: Tracking everyone regardless of preference.

What good looks like: Honour all requests. The rules around cookies changed a while back in the EU (that’s why you now often get messages letting you know a site uses them when you visit). So the main difference under GDPR will be that if someone’s browser is set to opt them out of web tracking, you’ll have to honour this too.

Sample action: Honour any ‘do not track’ requests.
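As an added illustration (not code from the original post), here is the server-side decision a site can make before setting an analytics cookie: a browser opt-out signal (the `DNT` header, and its newer equivalent `Sec-GPC`) always wins, and the absence of any signal is not treated as consent, so tracking only happens when the visitor has explicitly opted in. The `consent` cookie name and the `_analytics_id` value are assumptions for the example.

```python
from http.cookies import SimpleCookie, CookieError

# Opt-out signals a browser can send. "DNT: 1" is the classic Do Not Track
# header; "Sec-GPC: 1" (Global Privacy Control) is the newer equivalent.
OPT_OUT_HEADERS = ("dnt", "sec-gpc")
# Hypothetical consent cookie, set only when the visitor ticked the box
# themselves; its value lists the purposes they agreed to, comma-separated.
CONSENT_COOKIE = "consent"


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name:
            return value.strip()
    return None


def opt_out_requested(headers):
    """True when the browser has asked not to be tracked."""
    return any(_header(headers, h) == "1" for h in OPT_OUT_HEADERS)


def consent_granted(headers, purpose):
    """True only when the consent cookie explicitly lists this purpose."""
    jar = SimpleCookie()
    try:
        jar.load(_header(headers, "cookie") or "")
    except CookieError:
        return False  # malformed Cookie header: treat as no consent
    if CONSENT_COOKIE not in jar:
        return False
    purposes = {p.strip() for p in jar[CONSENT_COOKIE].value.split(",")}
    return purpose in purposes


def tracking_allowed(headers, purpose="analytics"):
    # A browser opt-out overrides even a previously stored consent cookie...
    if opt_out_requested(headers):
        return False
    # ...and no signal at all is not consent: require an explicit opt-in.
    return consent_granted(headers, purpose)


def response_headers(headers, purpose="analytics"):
    """Headers to add to the response. "Tk" is the W3C Tracking Preference
    Expression status: "N" = not tracking, "C" = tracking with consent."""
    if tracking_allowed(headers, purpose):
        return {"Tk": "C", "Set-Cookie": "_analytics_id=example; Path=/; Secure; HttpOnly; SameSite=Lax"}
    return {"Tk": "N"}
```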

6) Your data needs to be kept only for as long as necessary and for the purposes for which the personal data are processed

What dickish looks like: “We’ve just found an email address from 5 years ago that we haven’t contacted since. I assume they’ve got the same job title and interests that they used to. Let’s go for it.”

What good looks like: Our good friends over at Informatica say that conservative estimates put database decay at around 30% per year (or for B2B sectors with high turnover that could be as high as 70%).

Trimming the now-inactive contacts from your lists will help your open rates and make your marketing more effective because you won’t be talking to customers based on old data. Oh and you’ll avoid massive fines.

What you can do: Work out a timeline for when data gets retired. How long is ‘longer than necessary’? Hard to say. But if someone hasn’t been a customer for nearly a decade, you’ll need a solid rationale for getting in touch.

7) Your data needs to be processed in a manner that ensures appropriate security of the personal data

What dickish looks like: “Yo, Gary, can you email me that spreadsheet of all the client email addresses?”

What good looks like: Up-to-date infrastructure, with people who know how they should be using it.

Sample action: Offer training for all staff on how (and how not) to handle data. That’s not just your database staff, but anyone who handles customer info (for instance, you don’t want your sales staff just adding all their prospects to your mailing list). The most secure infrastructure in the world won’t help if your people aren’t using it correctly.

Marketing Golden Rule

Why GDPR is great for marketing

This isn’t doom and gloom. For good marketers, this is a huge opportunity.

GDPR is like guttering against the deluge of crap marketing. If someone’s receiving rubbish from a company, they have the right (and ability) to make it stop.

But the companies people want to hear from? They can get through without difficulty. And they’ll find a lot less competition in those inboxes.

If you’re making good content and using fair opt-ins, not that much will change. Lies, tricks and general dickishness are the preserve of the mediocre.

Marketing doesn’t have to be a dickish practice.

Need help? Give us a shout

If you’re confused about GDPR and need help, drop our content performance team a line, and they can share what they’ve learnt.


LOL — love reading your guys’ stuff. Thanks for the chuckles, the easy read, and the knowledge.

Thanks for the article! One of the most clear outlines I’ve read. As a small firm that only does business within the US, I’m trying to figure out if/how this will actually affect us…because there’s nothing stopping a member of the EU from signing up for our info (however unlikely that may be).

Hi Sarah, that’s a good point. A major change made by the GDPR is the territorial scope of the new law: Article 3 says that if you collect personal data or behavioral information from someone in an EU country, your company is then subject to the requirements of the GDPR.

To your point, anyone can fill out your web forms (so you’d be collecting their data) or simply visit your site (so you’d be collecting behavioural information if you use cookies on your site).

That said, our interpretation is that global marketing does not apply, as almost every company today has an online presence. You can’t block EU traffic to your site, right? If an EU resident simply visits your company website, the GDPR likely would not apply. If, on the other hand, you’re actively providing any services in an EU country or marketing to EU residents, your company should already be in the process of planning for the GDPR.

As Craig outlines in his post, all the requirements in the new law can be considered as “best practices”. So this could be a good moment for you to review your data policies and consider some improvements that, ultimately, can be beneficial for your overall marketing strategy.

Thanks, Agustin, helpful comments!
